
Security Data Mining in an Ontology for Vulnerability Management

Ju An Wang

School of Computing and Software Engineering

Southern Polytechnic State University

1100 S Marietta Pkwy, Marietta, GA, 30060, USA

[email protected]

Minzhe Guo

School of Computing and Software Engineering

Southern Polytechnic State University

1100 S Marietta Pkwy, Marietta, GA, 30060, USA

[email protected]

Abstract — Information security is such a complex topic that the sheer scope and volume of available security data overwhelms security professionals and managers alike. This paper discusses the rationale of applying semantic technology to information security with a focus on software vulnerability management. With semantic technologies, we can describe the pattern of external threats and internal vulnerabilities formally and precisely. Based on this, we can make inferences and make high-level decisions accordingly. We have constructed an ontology for security vulnerabilities, which defines the key concepts in vulnerability management and their relationships. We introduce the design and reasoning within the ontology with examples in vulnerability analysis and assessment. The result of this paper provides a promising pathway to making security automation successful through semantic technologies.

Keywords – Software vulnerabilities, Information security, Measurement, Semantic technology, Ontology

I. INTRODUCTION

Our society and important infrastructures are more and more dependent on information security. Telecommunications, energy, banking and finance, transportation, water, emergency services, and essential government services are now connected to each other via information systems and to a large extent they are operated by various information systems. Software and IT vulnerabilities jeopardize infrastructure operations, business operations and services, intellectual property, and consumer trust. Information security is a critical part of business strategy. Failing in information security may cause business disruptions leading to loss of money, time, products, reputation, sensitive information, and potential loss of life through cascading effects on critical systems and infrastructure. Companies are now demanding new levels of risk management, assessment, reporting, and protection. However, information security is such a complex topic that the sheer scope and volume of available security data overwhelms security professionals and managers alike. We need new technology to handle the increasingly complicated data that results from security management.

Semantic technologies are being increasingly applied in the business arena and recently in information security research [1, 5, 12, 13]. The essential idea of semantic technologies is to assign meaning to information in a way that a machine can understand, so that the machine can process it automatically. Information is described using RDF (Resource Description Framework) and OWL (Web Ontology Language) to make it machine understandable. By its nature, semantic technology is an infrastructure technology on top of which we can build various intelligent applications [1]. Some typical applications and use cases of semantic technology were collectively listed by the World Wide Web Consortium (W3C) at [31]. Perhaps the most interesting development in semantic applications is security ontology and its related applications [5, 12, 13]. For instance, Andreas Ekelhart et al. [5] developed an ontology to organize and capture the meaning of structured knowledge about threats, safeguards, assets and their relationships. Gernot Goluch et al. [12] applied semantic technologies to risk assessment and high-level business process management.

The key to applying semantic technologies to information security is to make machines understand information assets and the threats to these assets. An information asset is a piece of data valuable to an individual or an organization. An information asset can exist in different formats: text, images, audio clips, etc. We are living at a time when information is rapidly generated and propagated. Information assets are valuable because they are either proprietary or form part of an individual's or an organization's identity or competitive advantage, and they are not easily replaceable without cost, skill, time, resources, or a combination of these. While information is valuable, it is fragile. During its lifetime, information can be intercepted, modified, interrupted, fabricated, or destroyed. Threat agents include hackers, crackers, attackers, and script kiddies. However, those external threats would not cause much damage to an information asset if the asset did not itself have internal vulnerabilities, as illustrated by Figure 1 below.

Figure 1 Internal and External Risk Sources

Data mining involves the use of data analysis tools to discover previously unknown, valid patterns and relationships in large data sets. Thus data mining is a natural way to deal with the huge amount of security data in vulnerability management. It is an effective means to identify internal security flaws and potential attack activities from outside. In order to build smart security applications, we may use ideas from the data mining and knowledge discovery areas. Nevertheless, we have to formally define those fundamental concepts and describe their relationships precisely. Our approach is to use ontology, a technology that has been successfully applied in semantic web research and development.

2009 International Joint Conference on Bioinformatics, Systems Biology and Intelligent Computing

978-0-7695-3739-9/09 $25.00 © 2009 IEEE DOI 10.1109/IJCBS.2009.13

631


An ontology is a specification of a conceptualization. It captures the relationships among concepts and expresses them in a way a machine can understand and act upon. Thus it is essential to establish a security ontology before we can automate security management.

The remainder of this paper is organized as follows: In Section 2, we discuss briefly the related work in applying semantic technologies to security in general and in vulnerability modeling in particular. Section 3 presents the design and construction of an ontology for software vulnerabilities. Section 4 includes some examples of applications. Finally in Section 5 we summarize our work, discuss a semantic approach to security content automation as well as future research directions.

II. RELATED WORK

A number of papers have been published in the area of semantic technology, ontology, and applying semantic technologies to information security. Some efforts focused on building security ontologies to model security requirements or security policy. Lee et al. [31] argue that the nonfunctional nature of security requirements, which are usually identified in regulatory documents for certification and accreditation activities, imposes complex constraints on the behavior of software systems and makes them hard to understand, predict and control. Thus they propose to build a problem domain ontology from the regulatory documents enforced by DITSCAP – the Department of Defense Information Technology Security Certification and Accreditation Process. A common language for extracting concepts from regulatory documents is presented as well. Amaral et al. [39] try to formalize text-based information in the domain of information security, such as security policies defined by organizations. They propose techniques to extract knowledge from natural language texts to form an ontology consisting of a vocabulary for the information security domain, logical forms corresponding to statements in the text, and a set of axioms used for inference. A tool providing automatic support for the formalization process is also described in their paper.

There are quite a number of papers focusing on building a generic security ontology to support information system security management or risk analysis. Tsoumas et al. [40] argue that a structured approach might be employed in Information System (IS) security management so as to support the process leading from informal, high-level statements found in policy and risk analysis documents to deployable technical controls. The authors extend the DMTF Common Information Model (CIM) standard in order to use it as a container for IS security-related information, and then enrich the CIM extension with ontological semantics in order to support knowledge sharing and reuse, defining a generic Security Ontology (SO). Furthermore, the necessary steps to establish the IS security management framework are discussed in the paper as well. Mouratidis et al. [41] identify the need to extend the Tropos ontology [46] to consider security issues. The Tropos ontology is based on social hierarchies and adapts components of the i* framework [47]. The authors improve the social ontology created for the i* framework with new security concepts: security constraints, secure entities and secure dependencies between actors. Ekelhart et al. [27] propose a security ontology framework which unifies existing approaches to support IT security risk analysis. The framework consists of four components: a security ontology based on the security and dependability taxonomy by Landwehr [48], the underlying risk analysis methodology, concepts of the (IT) infrastructure domain, and a simulation enabling enterprises to analyze various policy scenarios. Their recent research on applying the security ontology to risk assessment can be found at [41, 42].

It is interesting to note that some research work uses ontologies to model security attacks. Undercoffer et al. [26] state the benefit of transitioning from taxonomies to ontologies and propose an ontology to model computer attacks for sharing knowledge in intrusion detection systems. The authors use DAML+OIL and DAMLJessKB to implement the ontology and present use case scenarios to illustrate the benefit of utilizing it. Vorobiev et al. [30] analyze and classify Web services security threats systematically in order to build a security attack ontology, with the objective of allowing various firewalls and intrusion detection systems to share a common understanding of attack knowledge and of enabling reasoning services and automatic analysis.

Finally, a few papers concentrate on adding security to semantic web research. Denker et al. [29] have created several ontologies for specifying security-related information in Web Services, first using DAML+OIL [44] and later OWL [29]. They defined the ontology with the goal of enabling high-level markup of web resources, services, and agents and of providing a layer of abstraction on top of various web service security standards. The ontology is made up of two sub-ontologies: "security mechanisms", which captures high-level security notations, and "credentials", which defines different authentication methods. Kim et al. [32] focus their research on the annotation of functional aspects of resources and propose to build the NRL security ontology to represent security statements such as mechanisms, protocols, algorithms and credentials. The NRL security ontology employs an architecture that is easy to use and easy to extend. Bao et al. [45] investigate how to secure the sharing of ontologies between autonomous entities. They provide a framework for privacy-preserving reasoning in order to allow an agent to safely answer queries against its knowledge base using inferences based on both the hidden and the visible part of the knowledge base, without revealing the hidden knowledge.

Our approach differs from previous work in the following aspects: (1) our ontology focuses on the problem domain of software vulnerability; (2) the construction of our ontology is based on widely accepted standards such as CVE, CPE, CWE and CAPEC [3, 4], so our ontology can be rich in instances and relationships; (3) our ontology can be used to study the relationships between vulnerabilities. This provides a security data mining mechanism for software vulnerability management.

III. VULNERABILITY MODELING

A. Software Vulnerabilities

Vulnerability evaluation plays a central role in security posture and risk management. Vulnerability refers to flaws or weaknesses in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. Any flaw or weakness in an information system could be exploited to gain unauthorized access to, damage, or compromise the information system. In order to evaluate vulnerability, we need well-defined security metrics to measure the severity level of a vulnerability based on scientific, systematic, and quantitative approaches. Without well-defined security metrics, companies find it difficult to compare and select different security options accurately. Cost-benefit analysis and ROI (Return on Investment) calculations are becoming standard prerequisites for any information security product sale or purchase.

The CVSS (Common Vulnerability Scoring System) [18] provides a tool to quantify the severity and risk of a vulnerability to an information asset in a computing environment. It was designed by NIST (National Institute of Standard and Technology) and a team of industry partners. CVSS metrics for vulnerabilities are divided into three groups: Base metrics measure the intrinsic and fundamental characteristics of vulnerabilities that do not change over time or in different environments. Temporal metrics measure those attributes of vulnerabilities that change over time but do not change among user environments. Environmental metrics measure those vulnerability characteristics that are relevant and unique to a particular user’s environment.

B. Common Vulnerability and Exposures

The MITRE Corporation [4] put together a list, called CVE, of publicly known information security vulnerabilities and exposures. Each vulnerability on this list has a unique identifier, enabling data exchange between security products and providing a baseline index point for evaluating the coverage of tools and services [24]. Each CVE identifier includes appropriate references. CVE is now the industry standard for vulnerability and exposure names. A vulnerability in CVE can be represented using XML as shown in Figure 2:

Figure 2 Representing a vulnerability with XML

All information about a software vulnerability is incorporated in the <item> element, and the attribute "name" is used to provide a unique name for the vulnerability. Other than the name of the vulnerability, the most important part of a CVE item is the <desc> element, which is used to provide a brief and formal description of the vulnerability. Generally, the description consists of the concepts needed to describe the vulnerability meaningfully, such as the type of the vulnerability, the affected IT system, the attacker, the consequences, etc. Through the analysis of CVE vulnerability expressions, we concluded that the syntax of the <desc> element CVE uses to describe vulnerabilities can be expressed with a simple Extended BNF (EBNF) as follows:

    CVE_VULNERABILITY ::= ( IT_SYSTEM VERSION+ )+
        | "because of" REASON*
        | "when" CONDITION*
        | "in" (COMPONENT | FILE | FUNCTION)*
          "has" (specified | unspecified) VULNERABILITY
          "allow" (specified | unspecified) ATTACKER+
          "to cause" CONSEQUENCE+
        | "via" ATTACK*

Thus the vulnerability in Figure 2 could be expressed as:

    CVE-2008-5070.DESC ::=
        Pro Chat Rooms 3.0.3 when magic_quotes_gpc is disabled has the SQL Injection Vulnerability
        allow remote attackers
        to cause arbitrary SQL commands execution
        via the gud parameter to (1) index.php and (2) admin.php

From the syntax and examples described above, we note that symbols such as "IT_System", "Version", etc., that appear in the syntax are the minimally necessary concepts to describe a vulnerability, so they will be included in our vulnerability ontology described in the next section.
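The grammar above as an executable slot parser, an added example rather than code from the paper: it splits a normalized <desc> sentence into the EBNF's non-terminals on the quoted keywords, rejects sentences that lack the mandatory has/allow/to cause backbone, and emits the parsed slots as ontology facts using the existInProduct, beExploitedBy and hasRelatedAttack relation names from Section IV and the CPE name structure from Section III.D. The dotted-number version split, the lower-cased CPE normalization and the relation names causeConsequence and hasCondition are assumptions of this example.

```python
"""Slot parser for the EBNF given above for the CVE <desc> element.

Added example, not code from the paper.  The grammar's quoted keywords
("because of", "when", "in", "has", "allow", "to cause", "via") serve as
delimiters between the non-terminals.  Splitting IT_SYSTEM on dotted-number
version tokens and the CPE 2.2-style normalization are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One regex for the whole production.  The optional groups are the
# "|"-separated segments of the EBNF; "has ... allow ... to cause" is the
# mandatory backbone, so a sentence without it is rejected (None).
DESC_RE = re.compile(
    r"""^(?P<system>.+?)
        (?:\s+because\s+of\s+(?P<reason>.+?))?
        (?:\s+when\s+(?P<condition>.+?))?
        (?:\s+in\s+(?P<component>.+?))?
        \s+has\s+(?:the\s+)?(?P<unspec_vuln>unspecified\s+)?(?P<vulnerability>.+?)
        \s+allows?\s+(?P<unspec_att>unspecified\s+)?(?P<attacker>.+?)
        \s+to\s+cause\s+(?P<consequence>.+?)
        (?:\s+via\s+(?P<attack>.+?))?
        \.?\s*$""",
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


@dataclass
class CveDesc:
    product: str                                        # IT_SYSTEM minus versions
    versions: List[str] = field(default_factory=list)   # VERSION+
    reason: Optional[str] = None                        # REASON*     ("because of")
    condition: Optional[str] = None                     # CONDITION*  ("when")
    component: Optional[str] = None                     # COMPONENT|FILE|FUNCTION ("in")
    vulnerability: str = ""                             # VULNERABILITY
    vulnerability_specified: bool = True                # specified | unspecified
    attacker: str = ""                                  # ATTACKER+
    attacker_specified: bool = True                     # specified | unspecified
    consequence: str = ""                               # CONSEQUENCE+
    attack: Optional[str] = None                        # ATTACK*     ("via")


def split_system(system: str) -> Tuple[str, List[str]]:
    """'Pro Chat Rooms 3.0.3' -> ('Pro Chat Rooms', ['3.0.3']);
    'X 2.1 and 2.2' -> ('X', ['2.1', '2.2'])."""
    versions = VERSION_RE.findall(system)
    name = re.sub(r"\s+(?:and|,)\s+", " ", VERSION_RE.sub("", system))
    return " ".join(name.split()), versions


def parse_desc(text: str) -> Optional[CveDesc]:
    """Return the grammar slots of a normalized description, or None."""
    m = DESC_RE.match(text.strip())
    if m is None:
        return None
    product, versions = split_system(m.group("system"))
    return CveDesc(
        product=product, versions=versions,
        reason=m.group("reason"), condition=m.group("condition"),
        component=m.group("component"), vulnerability=m.group("vulnerability"),
        vulnerability_specified=m.group("unspec_vuln") is None,
        attacker=m.group("attacker"),
        attacker_specified=m.group("unspec_att") is None,
        consequence=m.group("consequence"), attack=m.group("attack"),
    )


def cpe_name(product: str, version: str, part: str = "a", vendor: str = "") -> str:
    """Name an IT_Product with the CPE structure quoted in Section III.D,
    cpe:/{part}:{vendor}:{product}:{version}.  <desc> carries no vendor, so
    the caller supplies it or the field stays empty; lower-casing and
    underscores follow common CPE 2.2 practice (assumption)."""
    def norm(s: str) -> str:
        return "_".join(s.lower().split())
    return f"cpe:/{part}:{norm(vendor)}:{norm(product)}:{norm(version)}"


def to_triples(cve_id: str, d: CveDesc) -> List[Tuple[str, str, str]]:
    """Emit (subject, relation, object) facts.  existInProduct, beExploitedBy
    and hasRelatedAttack are the relation names of the paper's SWRL rule in
    Section IV; causeConsequence and hasCondition are assumed names."""
    triples = [(cve_id, "rdf:type", d.vulnerability),
               (cve_id, "beExploitedBy", d.attacker),
               (cve_id, "causeConsequence", d.consequence)]
    triples += [(cve_id, "existInProduct", cpe_name(d.product, v)) for v in d.versions]
    if d.attack:
        triples.append((cve_id, "hasRelatedAttack", d.attack))
    if d.condition:
        triples.append((cve_id, "hasCondition", d.condition))
    return triples


# The paper's normalized rendering of CVE-2008-5070 (from the text above).
CVE_2008_5070 = (
    "Pro Chat Rooms 3.0.3 when magic_quotes_gpc is disabled has the SQL "
    "Injection Vulnerability allow remote attackers to cause arbitrary SQL "
    "commands execution via the gud parameter to (1) index.php and (2) admin.php"
)

if __name__ == "__main__":
    for triple in to_triples("CVE-2008-5070", parse_desc(CVE_2008_5070)):
        print(triple)
```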

C. Ontology for Security Vulnerabilities

An ontology is a specification of concepts and their relationships. An ontology represents knowledge in a formal and structured form and provides a better tool for communication, reusability and organization of knowledge. Therefore, an ontology is a knowledge representation (KR) system based on Description Logics (DLs), an umbrella name for a family of KR formalisms representing knowledge in various domains. A DL specifies a knowledge domain as the "world" by first defining the relevant concepts of the domain, and then using these concepts to specify properties of objects and individuals occurring in the domain [35]. In information security, many concepts are vaguely defined, which causes misunderstanding among stakeholders because of language ambiguity. It is important to have a clearly defined vocabulary and standardized languages as the means for accurately communicating vulnerability information among all the people involved.

Semantic technologies not only provide a tool for communication, but also a foundation for high-level reasoning and decision-making. Ontology, for instance, offers the potential of formal logic inference based on a well-defined data and knowledge base. An ontology captures the relationships between collected data and uses the explicit knowledge of concepts and relationships to deduce the implicit and inherent knowledge. In fact, a heavy-weight ontology can be defined as a formal logical system, as it includes concepts, concept taxonomies, relationships, properties, axioms and constraints.

Listing for Figure 2 (the CVE-2008-5070 item in XML):

    <item type="CAN" name="CVE-2008-5070" seq="2008-5070">
      <status>Candidate</status>
      <phase date="20081114">Assigned</phase>
      <desc>
        SQL injection vulnerability in Pro Chat Rooms 3.0.3, when magic_quotes_gpc is disabled,
        allows remote attackers to execute arbitrary SQL commands
        via the gud parameter to (1) index.php and (2) admin.php.
      </desc>
      <refs>
        <ref source="MILW0RM" url="http://www.milw0rm.com/exploits/6612">6612</ref>
        <ref source="BID" url="http://www.securityfocus.com/bid/31463">31463</ref>
      </refs>
      <votes> </votes>
      <comments> </comments>
    </item>

Currently there is no standard method for ontology development [50]. We construct our ontology following the DL knowledge engineering methodology described in [35]. We also follow the design criteria for ontologies proposed by Gruber in [28], including clarity, coherence, extendibility, minimal encoding bias and minimal ontological commitment. The basis of our vulnerability ontology is built on the result of CVE (Common Vulnerabilities and Exposures) and its related protocols and standards, including CWE (Common Weakness Enumeration), CPE (Common Platform Enumeration), and CAPEC (Common Attack Pattern Enumeration and Classification). In constructing our ontology, we first search the NVD (National Vulnerability Database) and analyze hundreds of vulnerabilities in order to study how CVE describes them.

As discussed in the previous subsection with CVE examples, we captured the important concepts for describing vulnerabilities in the context of software security. Symbols and expressions like "VULNERABILITY", "ATTACKER", "COUNTERMEASURE", etc., are essential to characterize vulnerabilities; therefore, they should be defined in our vulnerability ontology. Figure 3 below shows the conceptual model of our vulnerability ontology. The detailed attributes of each concept and sub-concept are not depicted, for the clarity of the diagram.

Figure 3 The Concept Model of the Vulnerability Ontology

The top level concepts of the ontology include: Vulnerability, IT Product, Attacker, Attack, Consequence, and Countermeasure. More specifically, a Vulnerability existing in an IT Product can be exploited by an Attacker through conducting an Attack action with the objective to compromise the IT Product and cause Consequence. Countermeasures can be used to protect the IT Product through mitigating the Vulnerability. We provide more details about these top level concepts in the next subsection below.

D. Top-Level Concepts

There are eleven top-level concepts in total in our vulnerability ontology, as illustrated in Figure 3. We explain their definitions and relationships below.

(1) Vulnerability. Vulnerability refers to the flaws, defects, or mistakes in software that can be directly used by a hacker to gain access to a system or network. CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system. This excludes those "open" security policies in which all users are trusted, or where there is no consideration of risk to the system.

An ontology subsumes taxonomies, which are classification systems where the classification scheme conforms to a systematic arrangement into groups or categories according to established criteria [26]. The underlying idea of our design of the vulnerability class takes the classification scheme "flaw by genesis" from the NRL taxonomy [36], with the objective of finding the nature of the vulnerability. The other two classification schemes, "flaws by location" and "flaws by time of introduction", serve as the basis for the design of the other two concepts, Active_Location and Introduction_Phase, respectively, in our ontology.

Amoroso [37] and others have identified six properties as essential to taxonomy: mutually exclusive, exhaustive, unambiguous, repeatable, accepted, and useful. In order to better satisfy these properties and our design objectives, we choose the CWE research view, a classification system in CWE, to replace the original “flaws by genesis” classification scheme in NRL taxonomy. The CWE research view is intended to facilitate research into software weaknesses and is mainly organized according to abstractions of software behaviors and the resources that are manipulated by those behaviors, which aligns with MITRE’s research into vulnerability theory [49].

Each common software weakness in CWE is identified by its CWE_ID. In our design, we take each weakness in the CWE research view as a type of vulnerability, so a CVE vulnerability becomes an instance of one or more types of vulnerabilities. We use an example to give a more intuitive explanation of the structure of the vulnerability class: "CWE-398: Indicator of Poor Code Quality" (CVE-2008-4813) is a top-level type of vulnerability in our vulnerability taxonomy; "CWE-399: Resource Management Errors" is a subclass of CWE-398 which places more detailed constraints on this type of vulnerability; "CVE-2008-4813" is an instance of the vulnerability type CWE-398. The structure of this example expressed in DL is as follows:

    CWE-399 ⊑ CWE-398,  CWE-398 ⊑ Vulnerability,  CWE-399(CVE-2008-4813).

(2) Introduction_Phase. Introduction_Phase refers to the phases in the software development life cycle (SDLC), such as requirements specification, design, coding, testing, integration, deployment, maintenance, etc., during which the vulnerability can be introduced. The taxonomy of this concept is based on the "flaws by time of introduction" scheme from the NRL taxonomy. For instance, vulnerabilities of the type "CWE-399: Resource Management Errors" can be introduced in the implementation phase of the SDLC. With further details of this concept, the relationship between vulnerability and development lifecycle can be investigated further.

(3) Active_Location. Active_Location refers to the locations of the software system where the flaw manifests itself. For instance, one active location could be the system configuration files, where the vulnerability is active during system initialization. The taxonomy of this concept is based on the "flaws by location" scheme from the NRL taxonomy. For example, vulnerabilities of the type "CWE-399: Resource Management Errors" can be activated in the memory management module of the operating system.

(4) IT_Product. IT_Product is the concept that subsumes an enumeration of the IT products encoded in CVE vulnerability descriptions. Each instance of IT_Product can be mapped to an external entity of an IT system in the real world. We differentiate software products from hardware products, and divide software products into two types: operating system products and application products.

(5) IT_Vendor. IT_Vendor is the supplier of the IT_Product, who produces the instances of software products. The vendor can be a commercial IT company, an open source project, an academic institution, or an individual programmer. IT_Product together with IT_Vendor are the concepts that compose the targeted IT system described in the CVE vulnerability <desc> element. For example, the targeted IT system in CVE-2008-5044 is Microsoft Windows Server 2003 and Vista. We construct both concepts based on the Common Platform Enumeration (CPE), a structured naming scheme for information technology systems, platforms, and packages, in order to provide an unambiguous name for each targeted IT system. The CPE name structure is as follows:

    cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}

The underlying idea is that best practices have greater utility when all participants share common names for the entities described, and that the use of consistent and meaningful names can speed up application development, foster interoperability, improve the correlation of test results, and ease the gathering of metrics. Figure 4 below uses the targeted IT systems in CVE-2008-5112 to present the design of the structure of these two concepts.

Figure 4 The targeted IT systems in CVE-2008-5112

The other key concepts and their definitions, which include Attack, Attack_Intent, Attack_Method, Attacker, Consequence, and Countermeasure, are omitted due to space limitations. The basic properties of these concepts are also omitted due to space limitations.

IV. SAMPLE APPLICATIONS

After designing the conceptual model, we implement our ontology in OWL-DL [51] using Protégé [52] and instantiate it with knowledge from CVE, CPE, CWE and CAPEC. Our implementation also employs Pellet [54] as the reasoner for OWL-DL reasoning tasks and Jess [55] as the rule engine, which allows us to write Semantic Web Rule Language (SWRL) [53] rules to reason about OWL individuals and to infer new knowledge about them.

From a logical point of view, our ontology is a knowledge representation system based on Description Logics, so it is able to perform the basic reasoning tasks on both the TBox and the ABox. The equivalence of OWL-DL and description logic allows OWL to exploit the existing body of DL reasoning to fulfill important logical requirements. These requirements include concept satisfiability, class subsumption, class consistency, and instance checking.

In addition, with the concepts, axioms and basic properties designed in the ontology, we can now use it to help discover complex relationships among individuals, among concepts, and between individuals and concepts. Take the discovery of the similarity relationship between two vulnerabilities as an example: we define the similarVulnerability relation as a binary relation between two vulnerabilities, and it is an "owl:TransitiveProperty" relation. When two vulnerabilities have the same genesis, can exist in the same IT product, can be exploited by the same kind of attackers with the same type of attack, and cause the same type of consequence, they are recognized as an instance of the similarVulnerability relation. The rule for similarVulnerability in SWRL is given in Figure 5:

Figure 5. The rule of similarVulnerability in SWRL

    Rule-similarVulnerability:
    Vulnerability(?x) ^ Vulnerability(?y) ^
    vulnerabilityName(?x, ?vn1) ^ vulnerabilityName(?y, ?vn2) ^ swrlb:notEqual(?vn1, ?vn2) ^
    tbox:isSubClassOf(?vc, Vulnerability) ^ abox:hasClass(?x, ?vc) ^ abox:hasClass(?y, ?vc) ^
    existInProduct(?x, ?p) ^ existInProduct(?y, ?p) ^ IT_Product(?p) ^
    beExploitedBy(?x, ?z1) ^ beExploitedBy(?y, ?z2) ^
    tbox:isSubClassOf(?zc, Attacker) ^ abox:hasClass(?z1, ?zc) ^ abox:hasClass(?z2, ?zc) ^
    hasRelatedAttack(?x, ?a1) ^ hasRelatedAttack(?y, ?a2) ^
    tbox:isSubClassOf(?ac, Attack) ^

This rule is executed by Jess, and executing it has the effect of adding the similarVulnerability property to each Vulnerability individual that satisfies our conditions. We can also use SQWRL to query the ontology according to the rule above to help find potential similarity relationships between two Vulnerability instances. For example, we could query the vulnerabilities that are similar to the vulnerability "CVE-2008-0328"; the result shows that the vulnerability "CVE-2007-3652" can be a similar vulnerability of CVE-2008-0328. The query in SQWRL, the query result, and the descriptions of the two vulnerabilities in CVE are shown in Figure 6.

Figure 6. The result of the similarVulnerability Query


As similarVulnerability is defined as an “owl:TransitiveProperty” relation, we can then use the OWL transitive property reasoning rule (Figure 7) to help discover a chain of similar vulnerabilities.

Figure 7. OWL transitive property reasoning rule in SWRL

The reasoning service provided by the ontology can be used not only to retrieve explicitly stated knowledge but also to infer implicitly stated knowledge. For example, suppose Vulnerability A has been discovered and studied for a period of time while Vulnerability B is newly discovered, and querying the ontology shows that <A, B> can be recognized as an instance of similarVulnerability. We can then use the reasoning service to infer that B may also exist in the IT products that are explicitly stated to have the "existIn" relation with A but not with B; furthermore, we might infer the consequences of B that could impact those IT products.
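Rule-similarVulnerability from Figure 5, the owl:TransitiveProperty closure of Figure 7 and the existIn inference just described, as an added example in plain Python rather than the paper's SWRL/Jess implementation. The class hierarchy and the individuals V1 to V4 are constructed for illustration (only "CWE-399 is a subclass of CWE-398" comes from the paper); the code assumes that abox:hasClass holds for every superclass of an individual's most specific type.

```python
"""The similarVulnerability rule (Figure 5), its owl:TransitiveProperty
closure (Figure 7) and the existIn inference described after it, written
as plain Python over a constructed ABox.

Added example; not the paper's ontology, its SWRL rules or its Jess/Pellet
setup.  The class hierarchy and the individuals V1..V4 are constructed for
illustration (only "CWE-399 is a subclass of CWE-398" comes from the paper).
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# TBox fragment, child -> parent (constructed except CWE-399 under CWE-398).
SUBCLASS_OF: Dict[str, str] = {
    "CWE-399": "CWE-398", "CWE-398": "Vulnerability", "CWE-89": "Vulnerability",
    "RemoteAttacker": "Attacker", "LocalAttacker": "Attacker",
    "ResourceExhaustion": "Attack", "Injection": "Attack",
    "DenialOfService": "Consequence", "DataDisclosure": "Consequence",
}

def classes_of(cls: str) -> Set[str]:
    """Every class an individual typed `cls` belongs to (abox:hasClass)."""
    out = {cls}
    while cls in SUBCLASS_OF:
        cls = SUBCLASS_OF[cls]
        out.add(cls)
    return out

@dataclass(frozen=True)
class Vuln:
    name: str                   # vulnerabilityName
    vuln_class: str             # most specific CWE type of the individual
    products: FrozenSet[str]    # existInProduct
    attacker_class: str         # class of the beExploitedBy individual
    attack_class: str           # class of the hasRelatedAttack individual
    consequence_class: str      # class of the Consequence it causes

def share_subclass(a: str, b: str, top: str) -> bool:
    """tbox:isSubClassOf(?c, top) ^ abox:hasClass(?x, ?c) ^ abox:hasClass(?y, ?c):
    a common class strictly below `top` (sharing `top` itself is trivial)."""
    return bool((classes_of(a) & classes_of(b)) - {top})

def similar(x: Vuln, y: Vuln) -> bool:
    """Body of Rule-similarVulnerability for one pair of individuals."""
    return (x.name != y.name                                  # swrlb:notEqual
            and share_subclass(x.vuln_class, y.vuln_class, "Vulnerability")
            and bool(x.products & y.products)                 # same IT_Product ?p
            and share_subclass(x.attacker_class, y.attacker_class, "Attacker")
            and share_subclass(x.attack_class, y.attack_class, "Attack")
            and share_subclass(x.consequence_class, y.consequence_class, "Consequence"))

def fire_rule(abox: List[Vuln]) -> Set[Tuple[str, str]]:
    """Assert similarVulnerability(x, y) (both directions) for every pair."""
    facts: Set[Tuple[str, str]] = set()
    for x, y in combinations(abox, 2):
        if similar(x, y):
            facts |= {(x.name, y.name), (y.name, x.name)}
    return facts

def transitive_closure(facts: Set[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """owl:TransitiveProperty: p(x,y) ^ p(y,z) -> p(x,z), iterated to a fixed point."""
    closed = set(facts)
    while True:
        new = {(x, z) for x, y in closed for y2, z in closed if y == y2 and x != z}
        if new <= closed:
            return closed
        closed |= new

def similar_chain(abox: List[Vuln], start: str) -> List[str]:
    """Vulnerabilities reachable from `start` through similarVulnerability."""
    return sorted(z for x, z in transitive_closure(fire_rule(abox)) if x == start)

def infer_exist_in(abox: List[Vuln], closed: Set[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Implicit existInProduct facts: if similarVulnerability(a, b) and a is
    stated to exist in p while b is not, infer that b may exist in p too."""
    by_name = {v.name: v for v in abox}
    inferred: Dict[str, Set[str]] = {v.name: set() for v in abox}
    for a, b in closed:
        inferred[b] |= by_name[a].products - by_name[b].products
    return inferred

# Constructed ABox.  V1 and V3 never share a product, so the rule alone does
# not relate them; the transitive closure through V2 does.
ABOX = [
    Vuln("V1", "CWE-399", frozenset({"ExampleOS 1.0"}),
         "RemoteAttacker", "ResourceExhaustion", "DenialOfService"),
    Vuln("V2", "CWE-398", frozenset({"ExampleOS 1.0", "ExampleOS 1.1"}),
         "RemoteAttacker", "ResourceExhaustion", "DenialOfService"),
    Vuln("V3", "CWE-399", frozenset({"ExampleOS 1.1"}),
         "RemoteAttacker", "ResourceExhaustion", "DenialOfService"),
    Vuln("V4", "CWE-89", frozenset({"ExampleOS 1.0"}),
         "RemoteAttacker", "Injection", "DataDisclosure"),
]

if __name__ == "__main__":
    closure = transitive_closure(fire_rule(ABOX))
    print("similar to V1:", similar_chain(ABOX, "V1"))
    print("inferred existIn:", infer_exist_in(ABOX, closure))
```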

Similar kinds of queries and reasoning can be very helpful when a new vulnerability is discovered and information about it is still insufficient. By querying for its potentially similar vulnerabilities, the knowledge recorded for those vulnerabilities can be consulted, so that quick action can be taken to detect or mitigate the new vulnerability.
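The similarVulnerability rule of Figure 5, the transitive closure of Figure 7, and the inference above that a newly discovered vulnerability may also exist in the products stated for its similar vulnerabilities, re-implemented in plain Python as an added example. This is not the paper's code: the authors executed the rule in Jess and queried the ontology with SQWRL, whereas this block forward-chains the rule body over an in-memory fact base. The five vulnerability individuals, the product, attacker and attack class names, and the helper names is_similar, similar_pairs, transitive_closure and candidate_products are all constructed for the example and carry no real CVE data.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Vulnerability:
    """One Vulnerability individual, carrying only the properties the
    Figure 5 rule reads. All values used below are constructed stand-ins."""
    name: str                          # vulnerabilityName
    classes: FrozenSet[str]            # abox:hasClass, subclasses of Vulnerability
    products: FrozenSet[str]           # existInProduct, IT_Product individuals
    attacker_classes: FrozenSet[str]   # Attacker subclass of each beExploitedBy target
    attack_classes: FrozenSet[str]     # Attack subclass of each hasRelatedAttack target


def is_similar(x: Vulnerability, y: Vulnerability) -> bool:
    """Body of Rule-similarVulnerability. Each shared-variable atom group
    (?vc, ?p, ?zc, ?ac) becomes a non-empty intersection, and
    swrlb:notEqual on the two names becomes x.name != y.name."""
    return (
        x.name != y.name
        and bool(x.classes & y.classes)                    # common ?vc
        and bool(x.products & y.products)                  # common ?p
        and bool(x.attacker_classes & y.attacker_classes)  # common ?zc
        and bool(x.attack_classes & y.attack_classes)      # common ?ac
    )


def similar_pairs(vulns: List[Vulnerability]) -> Set[FrozenSet[str]]:
    """Forward-chain the rule once over every pair of individuals (what Jess
    does for the asserted facts). The relation is symmetric, so each match
    is stored as an unordered pair of vulnerability names."""
    return {
        frozenset((x.name, y.name))
        for x, y in combinations(vulns, 2)
        if is_similar(x, y)
    }


def transitive_closure(pairs: Set[FrozenSet[str]]) -> Dict[str, Set[str]]:
    """Figure 7: similarVulnerability is an owl:TransitiveProperty, so the
    closure of the direct pairs yields every chain of similar vulnerabilities.
    Returns, for each name, every name reachable through such a chain."""
    adjacent: Dict[str, Set[str]] = {}
    for pair in pairs:
        a, b = tuple(pair)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    closure: Dict[str, Set[str]] = {}
    for start in adjacent:
        reached: Set[str] = set()
        stack = [start]
        while stack:
            node = stack.pop()
            for nxt in adjacent[node]:
                if nxt != start and nxt not in reached:
                    reached.add(nxt)
                    stack.append(nxt)
        closure[start] = reached
    return closure


def candidate_products(vulns: List[Vulnerability],
                       closure: Dict[str, Set[str]],
                       new_name: str) -> Set[str]:
    """Section IV inference: a newly discovered vulnerability may also exist
    in the products explicitly stated for its similar vulnerabilities but not
    yet stated for itself. The result is a hypothesis to verify against the
    product, not an asserted existInProduct fact."""
    by_name = {v.name: v for v in vulns}
    inferred: Set[str] = set()
    for other in closure.get(new_name, set()):
        inferred |= by_name[other].products
    return inferred - by_name[new_name].products


def make_vuln(name, classes, products, attackers, attacks) -> Vulnerability:
    return Vulnerability(name, frozenset(classes), frozenset(products),
                         frozenset(attackers), frozenset(attacks))


# Constructed fact base (no real CVE data): A and B share class, product,
# attacker class and attack class; C is similar to B only; D has a different
# vulnerability class; E has different attacker and attack classes.
SAMPLE_VULNS = [
    make_vuln("VULN-A", {"BufferOverflow"}, {"ProductX 1.0"}, {"RemoteAttacker"}, {"CodeInjection"}),
    make_vuln("VULN-B", {"BufferOverflow"}, {"ProductX 1.0", "ProductY 2.1"}, {"RemoteAttacker"}, {"CodeInjection"}),
    make_vuln("VULN-C", {"BufferOverflow"}, {"ProductY 2.1"}, {"RemoteAttacker"}, {"CodeInjection"}),
    make_vuln("VULN-D", {"SQLInjection"}, {"ProductX 1.0"}, {"RemoteAttacker"}, {"CodeInjection"}),
    make_vuln("VULN-E", {"BufferOverflow"}, {"ProductX 1.0"}, {"LocalUser"}, {"PrivilegeEscalation"}),
]


if __name__ == "__main__":
    direct = similar_pairs(SAMPLE_VULNS)
    chains = transitive_closure(direct)
    print("direct similarVulnerability pairs:", sorted(sorted(p) for p in direct))
    print("chain reachable from VULN-A:", sorted(chains["VULN-A"]))
    print("products VULN-C may also exist in:",
          sorted(candidate_products(SAMPLE_VULNS, chains, "VULN-C")))
```

Running the block shows that only A-B and B-C satisfy the rule directly, that the transitive closure links A to C through B, and that the inference for the "new" vulnerability C proposes ProductX 1.0 as a product to check; D and E never enter the chain because one of the rule's shared-class conditions fails for them.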

With the help of our ontology, more implicit knowledge and more complex and useful relationships could be expressed or discovered, enabling better study of the nature and the relationships of vulnerabilities.

V. CONCLUSIONS AND DISCUSSION

Information security is such a complex topic that the sheer scope and volume of available security data overwhelms security professionals and high-level administrative personnel alike. This paper discusses the rationale of applying semantic technology to information security with a focus on software vulnerability management. With semantic technologies, we can describe the pattern of external threats and internal vulnerabilities formally and precisely. Based on this, we can make inferences and make high-level decisions accordingly. We have constructed an ontology for security vulnerabilities, which defines the key concepts in vulnerability management and their relationships. We have introduced the design and reasoning within the ontology with examples in vulnerability analysis and assessment. The result of this paper provides a promising pathway to making security automation successful through semantic technologies.

Vulnerabilities of a computing system can be exploited for malicious purposes, resulting in the compromise of the system or the exposure of the confidential information on it. New vulnerabilities are discovered every day due to flaws in software, hardware, and system configuration. Vulnerability management is the process of detecting, analyzing, mitigating, and removing security vulnerabilities in computing systems. Successful vulnerability management makes computing systems less susceptible to attacks and effectively reduces security risks. In this paper, we have stated the benefit of applying semantic technology to vulnerability management, and to information security in general. With this approach, the knowledge about vulnerabilities and security risks in an application area can be formalized, shared by the community, and automatically processed by computers, which advances the automation of security measurement.

We have focused our research on the problem domain of software vulnerability and constructed our ontology based on widely accepted standards such as CVE, CPE, CWE and CAPEC. We have illustrated the major design ideas of our ontology, and given examples of how the ontology can be populated with knowledge from these standards. In addition, we have given the example of similarVulnerability to demonstrate the benefit of using an ontology to study the nature of vulnerabilities and the relationships between vulnerabilities and related areas. We are continuing our research along this line, refining the design and implementation of the ontology and populating it with more knowledge and instances, in order to further specify the ontology and use it to study the relationships between vulnerabilities and other related concepts. Moreover, as future work, we will incorporate knowledge from the software development lifecycle, security policy and requirements, and risk management into our ontology, via integration and cooperation with other security ontology research in these areas, so that the ontology can support high-level security risk analysis, development lifecycle security enhancement, and decision making.

Rule in Figure 7:
owl:TransitiveProperty(?A, ?B) ^ owl:TransitiveProperty(?B, ?C) → owl:TransitiveProperty(?A, ?C)

ACKNOWLEDGMENT

This work was supported in part by the National Science Foundation (NSF) under Grant Number 0722157 and the CyberObject Corp. under the 2008-2009 project grant. We would like to thank Hao Wang, Min Xia, and Linfeng Zhou for their constructive comments and fruitful discussions.

